AFSL Cyber Security Requirements (ASIC): How SMB1001 Level 3 Ensures Compliance

Author: BITS Team
Published: 25/11/2025

Cyber security has become a core compliance obligation for Australian Financial Services Licence (AFSL) holders. ASIC’s enforcement activity confirms that cyber risk governance is now an integral part of financial compliance expectations. In FY 2024-25, the ACSC received over 84,700 cybercrime reports, averaging one every six minutes, and responded to more than 1,200 cyber security incidents. This 11% year-on-year increase highlights the rising threat facing financial services firms.

For AFSL holders, a structured framework such as SMB1001 Level 3 offers a practical pathway to satisfying cyber security requirements. The AFSL Requirements outline how Level 3 controls align directly with obligations under s912A and ASIC’s cyber resilience expectations.

This article explains the key AFSL cyber security obligations, how SMB1001 Level 3 supports compliance, its limitations, and when higher SMB1001 tiers may be more suitable.

Key AFSL Cyber Security Obligations Under ASIC

ASIC interprets AFSL obligations under s912A as clearly encompassing cyber security. According to the AFSL Requirements and BITS document, licensees must demonstrate several core elements.

Adequate risk management systems (s912A(1)(h))

AFSL holders must identify, assess and mitigate cyber risks through documented policies, structured processes and continuous review. Cyber risk management must be embedded within organisational governance.

Efficient, honest and fair services (s912A(1)(a))

Cyber incidents that compromise data, disrupt operations or facilitate fraud undermine this obligation. Maintaining service availability, confidentiality, and integrity is central to ASIC’s expectations.

Adequate technological resources (s912A(1)(e))

ASIC requires appropriate infrastructure, current software, firewalls, antivirus tools and qualified IT support. Failing to invest in suitable technology or security capability may be considered a compliance failure.

Compliance arrangements and governance oversight

Policies, procedures, staff training and monitoring are essential for meeting AFSL compliance obligations. Representative oversight is also required to ensure consistent adherence to security standards.

Incident response and reporting expectations

AFSL holders must be able to respond promptly to cyber incidents. Significant breaches can trigger obligations under the Notifiable Data Breaches scheme and may need to be reported to ASIC where they affect licensed activities.

Together, these obligations set the standard against which ASIC assesses whether AFSL holders are taking reasonable steps to manage cyber risk.


SMB1001 Level 3 – A Baseline for AFSL Cyber Compliance

SMB1001 is an Australian cyber security standard specifically designed for small to medium-sized businesses. Level 3 provides an advanced cyber hygiene baseline with 23 controls across people, process and technology. The AFSL Requirements and BITS document outlines how BITS’ managed services align with these controls.

Key SMB1001 Level 3 control areas include:

  • Technology management: Firewalls, antivirus across all devices, system patching and updates, and access to specialist technical support.
  • Access controls: Individual accounts, strong authentication, multi-factor authentication for email and key applications, and secure remote access.
  • Backup and recovery: Reliable backups that support rapid recovery in the event of a cyber incident.
  • Policies and procedures: Cyber security policies, an incident response plan, asset registers and secure disposal processes.
  • Training and awareness: Regular cyber security training for all personnel.

When AFSL holders use a managed service provider (MSP) aligned with Level 3, these controls translate ASIC’s expectations into practical, operational safeguards.

Where SMB1001 Level 3 Excels and Where It Has Limitations

SMB1001 Level 3 aligns strongly with most AFSL cyber security obligations. The AFSL Requirements and BITS document shows significant coverage across key compliance areas.

Strengths of Level 3

  • Risk management and governance: Documented cyber security policies, an incident response plan and a maintained digital asset register support structured governance and risk oversight.
  • Technological resources: Firewalls, antivirus, regular patching and qualified IT support ensure systems meet ASIC’s expectation of adequate technological resources.
  • Incident preparedness: Backups and a documented response plan enable rapid containment and continuity.
  • Security culture: Regular user training and policy enforcement support strong internal compliance.
  • Technology protection: Multi-layered controls align with ASIC’s expectations for technology protection across core systems.

Limitations of Level 3

While Level 3 forms a strong baseline, some areas require additional measures.

  • Breach notification: Level 3 does not specify breach notification steps or reporting timelines for OAIC or ASIC requirements. AFSL holders must define these processes separately.
  • Advanced incident response: More sophisticated incidents may require forensic readiness or continuous monitoring, capabilities usually found in higher SMB1001 tiers.
  • Representative and third-party oversight: Level 3 includes staff training and policy coverage, but does not encompass structured supplier or representative security programs, which are part of Level 5.
  • Continuous monitoring: Real-time monitoring and 24/7 detection capabilities sit outside the Level 3 standard.

These areas can be addressed through enhanced procedures or by adopting a higher SMB1001 certification tier.


Is SMB1001 Level 3 Gold Enough for AFSL Cyber Compliance?

For most small and mid-sized AFSL holders, Level 3 provides a strong and often sufficient foundation. The controls cover essential risk management, governance, and technology needs that ASIC expects to see, and they demonstrate reasonable steps in meeting cyber obligations.

However, Level 3 alone may not meet the needs of AFSL holders with more complex environments or heightened regulatory exposure. Firms that may require more than Level 3 include those with:

  • Larger client bases or high data volumes
  • Multiple authorised representatives
  • Significant supply chain or vendor dependencies
  • Products subject to increased regulatory scrutiny
  • Greater exposure to targeted cyber threats

In these cases, progressing to Level 4 or Level 5 should be considered.

Should AFSL Holders Consider Higher SMB1001 Tiers?

Higher SMB1001 tiers increase cyber maturity and address gaps that Level 3 does not fully cover.

  • Level 4 (Platinum): Level 4 adds enhanced incident response capabilities, more mature monitoring and vulnerability management, and stricter access governance. It suits AFSL holders with elevated risk profiles or firms needing stronger assurance for regulators or stakeholders.
  • Level 5 (Diamond): Level 5 includes the full SMB1001 control set, including structured third-party security governance and supplier security programs. This level is suitable for larger AFSL holders, firms with sensitive data holdings, or businesses that require robust assurance for clients and partners.

AFSL holders should consider higher tiers when assessments reveal gaps in monitoring, supplier oversight, breach management or advanced incident handling.

Practical Next Steps for AFSL Holders

1. Map your current controls against AFSL obligations: Identify gaps in incident response, MFA enforcement, training, asset registers or patching processes.

2. Implement SMB1001 Level 3 controls: Level 3 provides a structured baseline aligned with core ASIC expectations, serving as a practical starting point for AFSL cyber compliance.

3. Address Level 3 limitations with targeted enhancements: Define breach notification procedures, run incident response drills and strengthen oversight of authorised representatives.

4. Evaluate the need for Level 4 or Level 5: Consider higher tiers based on your risk profile, organisational structure and regulatory expectations.

5. Review and maintain controls regularly: Cyber risks evolve rapidly, and ASIC expects ongoing diligence and continuous improvement.


Conclusion

Cyber security is now an integral part of AFSL compliance. SMB1001 Level 3 provides a practical and robust foundation for meeting ASIC’s expectations across risk management, technological resources, incident readiness and governance. While Level 3 is suitable for many AFSL holders, some firms may require enhanced capabilities through higher SMB1001 tiers or targeted procedural improvements.

BITS Helps AFSL Holders Strengthen Their Security

BITS can assist AFSL holders in enhancing their cyber security posture by implementing controls aligned with SMB1001 Level 3 and providing support with additional measures as needed. Our team can assess your environment, strengthen governance and help streamline your pathway to certification.

Contact us today to discuss how we can support your cyber security maturity and SMB1001 compliance goals.
